Merge

.github/workflows/ci-cd.yml

@@ -5,9 +5,9 @@ on:
   workflow_dispatch:
   push:
     branches: ["main"]
-  pull_request:
+  #pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    # branches: [ "main" ]
 
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
@@ -31,25 +31,25 @@ jobs:
   build:
     runs-on: ubuntu-latest
     env:
-      HUGO_VERSION: 0.117.0
+      HUGO_VERSION: 0.121.2
     steps:
       - name: Install Hugo CLI
         run: |
           wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
           && sudo dpkg -i ${{ runner.temp }}/hugo.deb
 
       - name: Checkout 🛎️
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '16'
 
       - name: Cache dependencies
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -67,7 +67,7 @@ jobs:
 
       - name: Setup Pages
         id: pages
-        uses: actions/configure-pages@v3
+        uses: actions/configure-pages@v4
 
       - name: Install Node.js dependencies
         run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
@@ -83,7 +83,7 @@ jobs:
             --baseURL "${{ steps.pages.outputs.base_url }}/"
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v2
+        uses: actions/upload-pages-artifact@v3
         with:
           path: ./public
 
@@ -97,4 +97,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages 🚀
         id: deployment
-        uses: actions/deploy-pages@v2
+        uses: actions/deploy-pages@v4

.gitignore

@@ -4,5 +4,6 @@
 .hugo_build.lock
 hugo_stats.json
 node_modules/
+node_modules
 public/
-resources/
+resources/

content/docs/Devops/SCM/git.md

@@ -152,4 +152,35 @@ Set some usefull aliases inside your `~/.gitconfig`:
 [color]
     # enable colours for diff, log, etc.
     ui = true
-```
+```
+
+## Git submodules
+
+```bash
+# Initialisation a new project (here an ansible collection)
+git clone https://<username>:<token>@gitlab.example.com/group/namespace.general.git
+ansible-galaxy collection init namespace.general
+git add -A &&  git commit -m "Initialisation" && git push 
+
+# Add submodules 
+git submodule add https://<username>:<token>@gitlab.example.com/group/namespace.another.git
+git submodule add https://<username>:<token>@gitlab.example.com/group/namespace.second.git
+git add -A &&  git commit -m "Initialisation" && git push 
+
+# Update submodules
+cd namespace/general
+git pull --recurse-submodules     #Fetch and show if there were changes from submodule
+git submodule update --remote
+git add -A
+git commit -am "message"
+git push
+
+# Update to last tag
+cd namespace/general/my/submodule
+git fetch && git tag | tail -1
+git checkout $(git tag | tail -1) 
+cd ../..
+git add my/submodule
+git commit -m "update submodules"
+git push
+```

content/docs/Kubernetes/k8s_functions.md → content/docs/Kubernetes/bash_functions.md

@@ -1,6 +1,6 @@
 ---
 date: 2023-08-01T21:00:00+08:00
-title: 🐣 Bash Functions for Kubernetes
+title: 🐣 Bash Functions for k8s
 navWeight: 50 # Upper weight gets higher precedence, optional.
 series:
   - Shell

content/docs/Kubernetes/certmanager.md

@@ -1,6 +1,6 @@
 ---
 date: 2023-08-01T21:00:00+08:00
-title: 📜 CertManager on kubernetes
+title: 📜 CertManager
 navWeight: 50 # Upper weight gets higher precedence, optional.
 series:
   - Infrastructure

content/docs/Kubernetes/operator_sdk.md

@@ -0,0 +1,17 @@
+---
+date: 2023-08-01T21:00:00+08:00
+title: 🚀 Operator SDK
+navWeight: 50 # Upper weight gets higher precedence, optional.
+series:
+  - Infrastructure
+  - Gitops
+categories:
+  - Kubernetes
+---
+
+
+## Init an Ansible project
+operator-sdk init --plugins=ansible  --domain example.org --owner "Your name"
+
+## Create first role
+operator-sdk create api --group app  --version v1alpha1 --kind Deployment --generate-role

content/docs/Kubernetes/vault.md

@@ -1,10 +1,221 @@
 ---
 date: 2023-08-01T21:00:00+08:00
-title: 🔒 Vault on kubernetes
+title: 🔒 Vault on k8s
 navWeight: 50 # Upper weight gets higher precedence, optional.
 series:
   - Infrastructure
   - Certificates
 categories:
   - Kubernetes
----
+---
+
+Some time ago, I made a small shell script to handle Vault on a cluster kubernetes. For documentation purpose. 
+
+## Install Vault with helm 
+
+```bash
+#!/bin/bash
+
+## Variables 
+DIRNAME=$(dirname $0)
+DEFAULT_VALUE="vault/values-override.yaml"
+NewAdminPasswd="PASSWORD"
+PRIVATE_REGISTRY_USER="registry-admin"
+PRIVATE_REGISTRY_PASSWORD="PASSWORD"
+PRIVATE_REGISTRY_ADDRESS="registry.example.com"
+DOMAIN="example.com"
+INGRESS="vault.${DOMAIN}"
+
+if [ -z ${CM_NS+x} ];then
+  CM_NS='your-namespace'
+fi
+
+if [ -z ${1+x} ]; then
+  VALUES_FILE="${DIRNAME}/${DEFAULT_VALUE}"
+  echo -e "\n[INFO] Using default values file '${DEFAULT_VALUE}'"
+else
+  if [ -f $1 ]; then
+    echo -e "\n[INFO] Using values file $1"
+    VALUES_FILE=$1
+  else
+    echo -e "\n[ERROR] No file exist $1"
+    exit 1
+  fi
+fi
+
+## Functions 
+function checkComponentsInstall() {
+    componentsArray=("kubectl" "helm")
+    for i in "${componentsArray[@]}"; do
+      command -v "${i}" >/dev/null 2>&1 ||
+        { echo "${i} is required, but it's not installed. Aborting." >&2; exit 1; }
+    done
+}
+
+function createSecret() {
+kubectl get secret -n ${CM_NS} registry-pull-secret --no-headers 2> /dev/null \
+|| \
+kubectl create secret docker-registry -n ${CM_NS} registry-pull-secret \
+  --docker-server=${PRIVATE_REGISTRY_ADDRESS} \
+  --docker-username=${PRIVATE_REGISTRY_USER} \
+  --docker-password=${PRIVATE_REGISTRY_ADDRESS}
+}
+
+function installWithHelm() {
+helm dep update ${DIRNAME}/helm
+
+helm upgrade --install vault ${DIRNAME}/helm \
+--namespace=${CM_NS} --create-namespace \
+--set global.imagePullSecrets.[0]=registry-pull-secret \
+--set global.image.repository=${PRIVATE_REGISTRY_ADDRESS}/hashicorp/vault-k8s \
+--set global.agentImage.repository=${PRIVATE_REGISTRY_ADDRESS}/hashicorp/vault \
+--set ingress.hosts.[0]=${INGRESS} \
+--set ingress.enabled=true \
+--set global.leaderElection.namespace=${CM_NS}
+
+echo -e "\n[INFO] sleep 30s" && sleep 30
+}
+
+checkComponentsInstall
+createSecret
+installWithHelm
+```
+
+
+## Init Vault on kubernetes
+
+Allow local kubernetes to create and reach secret on the Vault 
+
+```bash
+#!/usr/bin/bash
+
+## Variables 
+DIRNAME=$(dirname $0)
+KEY_SHARES="3"
+KEY_THRESHOLD="2"
+INIT_LOG="vault.log"
+
+if [ -z ${VAULT_NS+x} ];then
+  VAULT_NS='your-namespace'
+fi
+
+if [ -z ${1+x} ]; then
+  VALUES_FILE="${DIRNAME}/${DEFAULT_VALUE}"
+  echo "INFO: Using default values file '${DEFAULT_VALUE}'"
+else
+  if [ -f $1 ]; then
+    echo "INFO: Using values file $1"
+    VALUES_FILE=$1
+  else
+    echo "ERROR: No file exist $1"
+    exit 1
+  fi
+fi
+
+function initVault() {
+  while [[ $(kubectl -n ${VAULT_NS} get pod vault-0 --no-headers | awk '{print $3}') != 'Running' ]]; do
+    kubectl -n ${VAULT_NS} get pod vault-0 --no-headers; sleep 5;
+  done
+
+  if [[ $(kubectl -n ${VAULT_NS} exec vault-0 -- vault status 2> /dev/null | awk '/Initialized / {print $2}') == "true" ]]; then
+    echo "Vault is already Initialized!"
+  else
+    echo "Vault is not init. Start Initializing...";
+    kubectl -n ${VAULT_NS} exec -ti vault-0 -- vault operator init -key-shares=${KEY_SHARES} -key-threshold=${KEY_THRESHOLD} > ${INIT_LOG}
+  fi
+}
+
+function unsealVault() {
+  if [[ "$(kubectl -n ${VAULT_NS} exec vault-0 -- vault status 2>/dev/null | awk '/Sealed / {print $2}')" == "false" ]]; then
+    echo "Vault already unsealed!"
+  else
+    if [[ -f "${INIT_LOG}" ]]; then
+      arrayOfVaultKeys=()
+
+      echo "Import unseal keys"
+      for i in $(seq 1 "$(awk '/Unseal Key/ {print $4}' ${INIT_LOG} | wc -l)"); do
+        arrayOfVaultKeys+=("$(awk "/Unseal Key ${i}:/ {print \$4}" ${INIT_LOG})")
+      done
+
+      echo "Starting unseal..."
+      for i in "${arrayOfVaultKeys[@]}"; do
+        if [[ "$(kubectl -n ${VAULT_NS} exec vault-0 -- vault status 2>/dev/null | awk '/Sealed / {print $2}')" == "true" ]]; then
+          kubectl -n ${VAULT_NS} exec vault-0 -- vault operator unseal "${i}"
+        else
+          break
+        fi
+      done
+
+    else
+      echo -e "[ERROR] There is no ${INIT_LOG} file with unseal keys and root token. Aborting."; exit 1;
+    fi
+  fi
+}
+
+function enableVaultK8sAuth() {
+
+  vaultRootToken=$(awk "/Initial Root Token:/ {print \$4}" ${INIT_LOG})
+  kubectl -n ${VAULT_NS} exec vault-0 -- vault login "${vaultRootToken}";
+
+  if [[ $(kubectl -n ${VAULT_NS} exec vault-0 -- vault auth list | awk '/kubernetes/ {print $1}') == "kubernetes/" ]]; then
+    echo "kubernetes auth already enabled!"
+  else
+
+    kubectl -n ${VAULT_NS} exec vault-0 -- vault auth enable kubernetes;
+    tokenReviewerJwt=$(kubectl -n ${VAULT_NS} exec vault-0 -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+    k8sAddress=$(kubectl -n ${VAULT_NS} exec vault-0 -- ash -c 'echo $KUBERNETES_SERVICE_HOST')
+
+    kubectl -n ${VAULT_NS} exec vault-0 -- vault write auth/kubernetes/config issuer="https://kubernetes.default.svc.cluster.local" \
+      token_reviewer_jwt="${tokenReviewerJwt}" \
+      kubernetes_host="https://${k8sAddress}:443" \
+      kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+  fi
+}
+
+function addVaultPermission() {
+  kubectl -n ${VAULT_NS} exec vault-0 -- ash -c 'cat << EOF > /tmp/policy.hcl
+path "avp/data/test" { capabilities = ["read"] }
+EOF'
+
+  kubectl -n ${VAULT_NS} exec vault-0 -- vault policy write argocd-repo-server /tmp/policy.hcl
+
+  kubectl -n ${VAULT_NS} exec vault-0 -- vault write auth/kubernetes/role/argocd-repo-server \
+  	bound_service_account_names=argocd-repo-server \
+    bound_service_account_namespaces=argocd policies=argocd-repo-server
+}
+
+function addVaultSecret() {
+  if [[ $(kubectl -n ${VAULT_NS} exec vault-0 -- vault secrets list | awk '/avp\// {print $1}') == "avp/" ]]; then
+    echo -e "\n[INFO] Vault avp secret path already exist"
+  else 
+    kubectl -n ${VAULT_NS} exec vault-0 -- vault secrets enable -path=avp -version=2 kv
+  fi
+    kubectl -n ${VAULT_NS} exec vault-0 -- vault kv put avp/test sample=secret
+}
+
+
+function testSampleSecret() {
+  if [[ $(kubectl -n default get secret example-secret -o jsonpath='{.data}') == '{"sample-secret":"c2VjcmV0"}' ]]; then
+    echo -e "\n[OK] Secret created successfully"
+  else
+    echo -e "\n[ERROR] FAIL. Secret created unsuccessfully"
+  fi
+}
+
+function displayVault() {
+    cat << EOF
+Vault available in  http://localhost:8081  with:
+Token: ${vaultRootToken}
+EOF
+
+}
+
+installVault
+initVault
+unsealVault
+enableVaultK8sAuth
+addVaultPermission
+addVaultSecret
+testSampleSecret
+displayVault
+```

content/news/how-to-create-this-blog/index.md

@@ -290,7 +290,9 @@ Taxonomies are classifications of logical relationships between content. Underst
 
 To deploy the blog, I simply use Github Wokflow which build and publish it with Github Pages. Here, you can adopt several strategy for your own deployment.  
 
-I started with everytime that I was pushing the code, it deploy. It gave me no time after saving to read again my articles. Then I put it on `workflow_dispatch`, so I manually trigger the workflow to publish it. But the proper way to do, I just push on branch call `gh-pages` then merge it with the main so it trigger the publication only when it arrive on the main branch.   
+I started with everytime that I was pushing the code, it deploy. It gave me no time after saving to read again my articles. Then I put it on `workflow_dispatch`, so I manually trigger the workflow to publish it. But the proper way to do, I just push on branch `gh-pages` which is set as the default then merge it with the main so it trigger the publication only when it arrive on the main branch.   
+
+In the settings for branch protection, an option "Require a pull request before merging" prevent to directly commit on `main`.   
 
 I will not put all the workflow code, his you can get it [here](https://github.com/MozeBaltyk/mozebaltyk.github.io/tree/main/.github/workflows).    
 

content/news/wsl-beauty/index.md

@@ -58,7 +58,7 @@ Here some shortcut in *Windows Terminal* but not only 😉 :
   - `ctrl shift t`     :  terminal 
   - `ctrl shift n`     :  new windows
   - `ctrl alt 1 2 3`   :  changer de fenetre 
-  - `Windows + v`      :  see you paste buffer 
+  - `Windows + v`      :  see the paste buffer 
   - `Alt Shift`   +    :  split vertical 
   - `Alt shit`    -    :  split horizontal
   - `Alt arrow`        :  to change panel